Employees, IT Disagree Over Level of Mobile Security Controls

Employees are becoming more aware of the risks of using personal devices to access corporate resources and are somewhat willing to grant IT some control over their personal devices, according to a recent mobility survey from Blue Coat Systems.

Employees increasingly expect to have access to corporate assets and applications from their personal smartphones and mobile devices, Blue Coat said. A surprising number of employees were willing to grant IT some control over their personal devices, with 55 percent willing to have malware protection software installed and 58 percent willing to meet passcode requirements placed on their devices, Blue Coat found in its mobility survey, released Tuesday.

Many organizations have shifted to accommodate the users and the bring-your-own-device (BYOD) trend, defining mobile device management policies and setting minimum security requirements, Timothy Chiu, director of product marketing at Blue Coat, told SecurityWeek. While 64 percent of businesses said they would block personal devices from accessing any corporate applications if the employee didn't comply with policies, there seems to be a growing acceptance that IT needs to have some control over the devices joining the corporate network, Blue Coat found.

Some of the findings were "not quite what we expected," Chiu said. While the general trend was expected, Blue Coat was surprised by the numbers, he said.

In the survey of 350 respondents from large organizations in the United States, Canada, and other countries around the world, respondents were generally favorable to the idea of IT setting basic requirements such as anti-malware protection and passcodes to lock the screen. As the proposed IT controls became more stringent and intrusive, respondents were less receptive, Chiu said.

Only 24 percent of the respondents were willing to allow the network to log their attempts to access applications from the mobile device, and 19 percent were willing to have their Web activity from the mobile device logged, Blue Coat found. A mere 12 percent said IT could apply policies and restrict which types of sites and content they could reach over their mobile devices when using the corporate network, according to the survey.

Despite the positive trend for malware protection and passcodes, the numbers for these controls were "a little low. We wanted it higher," Chiu said.

The reluctance among users for more IT control poses a significant problem for IT as it can interfere with its own compliance requirements and make it harder to secure the network, Chiu said. For many organizations, logging when users access corporate resources, and noting where and what device was being used, is a compliance requirement. Restricting access to certain sites and logging Web content helps IT protect endpoints from infection and quickly detect if a botnet was operating within the network, Chiu said.

It's possible that employees don't realize they are already being tracked on other devices, so the request to log mobile device access feels like a new request, Chiu said. It is an "automatic reaction to think, 'No, I don't want to be logged,' since people are sensitive to privacy issues," he said. As people begin to realize what IT is already doing, they may become more comfortable with the controls being extended to mobile.

There also appears to be a significant perception gap between IT professionals and individual lines of business, the survey found. Approximately 42 percent of the respondents in the survey who had IT-related job titles believed the risk of malware spreading from mobile devices to the corporate network was high or very high. In contrast, 88 percent of non-IT respondents believed their mobile devices were somewhat or very secure from malware, Blue Coat said.

The gap extends to how much control each group believes is necessary. IT respondents in the survey wanted more control, as 41 percent said they expected to be able to log access to corporate applications over personal devices. About 37 percent of IT respondents said they expected to be able to enforce restrictions on the types of sites end-users could access. Even though the non-IT respondents were not willing to let IT do more, it appears that users are becoming aware of mobile risks, which may explain their willingness to give IT some level of control, Chiu said.

A total of 350 respondents participated in the survey. Respondents all worked in organizations of at least 2,000 employees in the United States, 500 employees in Canada, or 250 employees in other countries. IT professionals in the survey worked at organizations that officially allowed smartphones and tablet devices to access the corporate network, and non-IT personnel used mobile devices to access the network.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.